The 2020 Cyber Security Strategy foreshadows an ‘enhanced regulatory framework’ for critical infrastructure. The Strategy identifies three tiers of critical infrastructure that each carry a different set of obligations. At the lower end of the scale are critical infrastructure entities who will not attract additional regulation. A middle tier of ‘regulated critical infrastructure entities’ will be required to meet a ‘positive security obligation’. A third tier, owners of ‘systems of national significance’, will have to meet a ‘positive security obligation’ while also becoming subject to ‘enhanced cyber security obligations’.
What this means and the types of businesses that will be captured in each tier are not spelt out, but organisations with high revenues or that deliver essential services are likely to fall within the second and third tiers. There is also the potential for small and medium businesses to be caught by additional regulation if the framework extends to large organisations’ supply chains.
Existing cyber regulatory frameworks offer an insight into what the 2020 Cyber Security might ultimately deliver. For example, the Australian Prudential Regulation Authority’s CPS 234 requires regulated entities to:
- Clearly define information security related roles and responsibilities within their organisations
- Maintain an information security capability commensurate to the size and threat to their information assets
- Implement controls to protect these assets and undertake regular testing and assurance of the effectiveness of these controls
- Promptly notify the Australian Prudential Regulation Authority of any material security incidents.
At first glance, adopting these requirements would meet a ‘positive security obligation’, especially if their application were extended to cover essential operational technology.
How these obligations would be enforced is an open question, but the precedent set by the Australian Prudential Regulation Authority is a useful guide. CPS 234 holds Boards accountable for lapses in compliance, and it’s likely more general cyber security regulation will adopt this approach.
This would mean that responsibility for cyber security cannot be delegated, and an organisation’s leadership team would be held accountable for breaches of the applicable regulation.
The 2020 Cyber Security Strategy makes clear the Government will consult further on the ‘enhanced regulatory framework’. Through this consultation the sectors and businesses subject to increased cyber security obligations will become more settled, as will the specifics that regulated entities will be required to meet.
Whatever the outcome of this consultation process, the 2020 Cyber Security Strategy also makes clear that Government expects businesses to play greater attention to their cyber security. And because of this, a higher degree of cyber regulation will emerge in one form or another.